struts-dev mailing list archives

From Dale Newfield <d...@newfield.org>
Subject Re: Comments in JSON
Date Sat, 09 Jul 2011 15:10:30 GMT
If I recall correctly, this was done to help address information 
leakage.  Meaning if you're logged into a web application and also 
visiting a page on another website, that other page could have a script 
tag pointing at your web application, resulting in that data being added 
to the page scope, which other scripts on that page could then read. 
Having the resulting json data wrapped in a comment prevents that data 
from being automatically executed by the browser and added to scope, but 
doesn't prevent valid XHR requests (which enforce the same-host policy) 
from getting the result, stripping off a few characters and then exec'ing
to get the data.

So by "resolving" this "issue" you've just made all apps built on top of 
it less secure.

-Dale

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
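The mechanism described in the post above, as an added example that is not code from the Struts project or the thread: the server wraps the JSON in a block comment, a same-origin XHR client checks for and strips the wrapper, and evaluating the body as a script (what a cross-site script include does) yields nothing. The function names and the sample record are assumptions made up for the illustration.

```javascript
// Added illustration of comment-wrapped JSON responses (not Struts code).
// All names below (wrapJson, unwrapJson, evaluateAsScript, SAMPLE) are
// invented for this example.

const PREFIX = "/* ";
const SUFFIX = " */";

// Server side: serialize the result and hide it inside a JS block comment.
function wrapJson(value) {
  return PREFIX + JSON.stringify(value) + SUFFIX;
}

// Client side (same-origin XHR): insist that the wrapper is present, strip
// it, and parse with JSON.parse instead of exec'ing the response text.
function unwrapJson(body) {
  if (!body.startsWith(PREFIX) || !body.endsWith(SUFFIX)) {
    throw new Error("response is not comment-wrapped JSON");
  }
  return JSON.parse(body.slice(PREFIX.length, body.length - SUFFIX.length));
}

// Models a browser evaluating a response body as a script: indirect eval
// returns the program's completion value. A bare array literal evaluates to
// the data itself; a comment-only body is an empty program and yields
// undefined, so nothing is produced for the including page to observe.
function evaluateAsScript(body) {
  return (0, eval)(body);
}

// Constructed sample: a per-user record the application would return.
const SAMPLE = { user: "alice", balance: 42, roles: ["admin"] };
const WRAPPED = wrapJson(SAMPLE);

console.log(WRAPPED);                              // /* {"user":"alice",...} */
console.log(evaluateAsScript(WRAPPED));            // undefined
console.log(evaluateAsScript('[{"user":"alice"}]')); // the data, unwrapped
console.log(unwrapJson(WRAPPED).user);             // alice
```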

